Port forward from green to green

I have IPFire working well for almost everything. But, I am struggling with port forwarding from IPFire’s green interface to another host on the green network. I’d like to do that because I’m resolving home.craigshouse.com to the Internet address for external DNS and to IPFire’s green interface address for internal lookups.

Is it possible to nat ipfire(green) → another host on green?

Short answer: the question as formulated is wrong.

Long answer below.

Port forward is a destination NAT. NAT stands for Network Address Translation and it is used to translate the traffic from many private addresses (like the machines in the green network of your IPFire) to one public IP address e.g the one that your provider gives to you.

The most common type of NAT is not a destination NAT but a source NAT. In this case, a machine connected to the green network initiate an outbound traffic to communicate with an internet server. IPFire therefore will keep track of the traffic originated from the green IP in both directions using an internal table that allows the rewriting of the public to the private IP and vice-versa. This will allow many different private nodes to share one public address.

Now, let’s consider the opposite problem. You have a server in your green IP space. This machine will not initiate the traffic as in the previous example, but will be ready to answer to any incoming traffic knocking to its door (so to speak) at a specific port (say port 80 for web traffic). In this case, if you have the correct set of rules in the firewall, IPFire will do the same operation but in the opposite direction, translating the IP address of the incoming traffic to forward it to the internal IP address where the server application is waiting at that specified port to send back an answer.

Now to your question: this situation does not apply to two machines living in the same IP space because no translation is necessary. They can freely talk to each other as they share the same IP space. In this case, the traffic might not even go trough your firewall, if you have a switch coordinating the traffic of your green network.

As for your problem, I did not understand what you are trying to accomplish therefore I am unable to offer any suggestion.

EDIT: it did occur to me after reading again your message, that your question was whether it is possible to host a server in the Green IP space. That would completely defeat the purpose of the firewall as it would expose your protected network to incoming traffic from the internet side, however I believe it could possible (although I might be wrong). I know that you can allow a machine in the orange or blue network to communicate to a machine in the green network by opening a pinhole in the firewall. If this is allowed also from the red interface, I do not know.


I can see that I worded my question incorrectly…

I have my ipfire set up to port forward from the Internet to some servers in the green network. I have an external DNS name that resolves to ipfire’s red IP address and those services that I forward ports for work great from the internet. I’m hoping to have internal DNS point to IP fires green address and set up the exact same port forwards so that the internal IP will have the same services available as the external one.

Let me try to rephrase to make sure I understand correctly your problem. You have a bunch of servers sitting in your green zone. You have also a public DNS server with entries corresponding to those servers, pointing to your public IP. Anyone using the DNS system can connect to your public IP and due to the port forward rules of the firewall, the traffic correctly reaches your servers in the green IP space.

Now, you want other machines in the green network to be able to work with the same DNS entries to connect with the same servers but from inside the green network, and this for some reason does not work.

I have a web server in the orange network and I can reach it from any public IP in internet as well as from any machine in my private green network. If you move your servers in the orange IP space the problem should go away.

I do not know why this does not work when both servers and clients are in the same green IP space. It must be some weird problem between the source NAT of the client and the destination NAT of the server.

The way I would try to solve the problem is to have a local DNS entry, working only inside the green IP space, pointing not to the public IP but directly to the Green IP addresses of the servers, overriding the public DNS entry for the same servers. No idea if this can work, but maybe you can have a dedicated private DNS server and forward to it the requests from the local network using DNS forward entries? No idea if this would work, but I got nothing else to suggest.